The Encrypted Data Plugin provides an encrypted space “Safe Zone” to the machine where corporate applications can be restricted to storing their data.
Today’s post focuses on the foundations of encrypted disk volumes. The principles here are common to the vast majority of encrypted disk systems including, at a minimum, TrueCrypt, DiskCryptor, FreeOTFE, PGPDisk and likely a bunch of others.
The tech preview of the Encrypted data plug-in uses open source DiskCryptor as the volume encryption solution, though we have adjusted it a bit, mostly to fix some colorful screens that were experienced when the device driver came to life.
Headers and payload
Whether stored on a physical partition or stored inside a container file, encrypted disk volumes behave largely the same. There is a “header” and there is “payload”.
The header stores a number of things, but the #1 thing of importance in the header is a “volume key”. The header may be stored one or more times, providing facility for more than one password to decrypt the header.
The volume key is the “secret” used to encrypt and decrypt the disk blocks as viewed from the operating system. The header is encrypted/decrypted using the user provided password or “pass phrase”. Since the job of the pass phrase is to securely store the header, it is possible to store multiple copies of the header, each encrypted with a different password. The device driver reads the header, does math with the user provided pass phrase/password and then gets the volume key. DiskCryptor and the Encrypted Data Plug-in store only one copy of the header.
Once the header is decrypted using the user provided password, the volume key is then used by the device driver to do math on the disk blocks of the data storage space. This math is done during disk reads and writes to convert the physically scrambled version of the data into an in-the-clear (plaintext) version which is usable to applications.
The diagram below shows one header and one disk volume.
On the bottom in green is all the stuff that is physically stored, everything else is in memory.
For DiskCryptor, the green area is required to be a true physical disk volume. The physical volume is then reflected to the system as a slightly smaller version of the physical disk space; this is because the header occupies a small portion of space before the rest of the partition can be used for storage of user data.
This same concept applies for container files where for example TrueCrypt uses a “.tc” file to store the volume and PGPDisk uses .pgd. In all cases, a small portion of the file holds the header and the majority of the file holds encrypted disk data blocks. The ratio of header space to payload is along the lines of 2KB vs. 20GB. Doing math on the header is “fast” because the space is small. Doing math on all of the payload can be a time consuming operation because it is gigantic; fortunately it is only done when needed as a function of reading or writing to disk blocks at which point the CPU time spent on this disappears into the noise of running the machine. Yes, the impact can likely be measured, but stick with me on the idea that it is small.
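To make the header/payload split and the key flow concrete, here is an added example that is not part of the original post and is not DiskCryptor’s, TrueCrypt’s or the Encrypted Data Plug-in’s code. It models a container as one byte image: a small header area holding one slot per password (each slot wraps the same volume key under a key stretched from that password), followed by the payload of encrypted 512-byte sectors. “Mounting” means trying a password against the header slots to recover the volume key; reads and writes then use only the volume key, and only on the sectors touched, which is the point made above about header math being cheap and payload math being paid per block. The cipher is an HMAC-SHA256 keystream used as a stand-in for the AES-XTS real tools use; the 2 KB header, 4 slots, PBKDF2 work factor and slot layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

SECTOR_SIZE = 512          # size of one disk block presented to the OS
HEADER_SIZE = 2048         # the ~2 KB header area that precedes the payload (assumed layout)
SLOT_SIZE = 16 + 32 + 32   # one password slot: salt | wrapped volume key | check tag
MAX_SLOTS = 4              # password slots that fit in this toy header (assumption)
KDF_ITERATIONS = 100_000   # PBKDF2 work factor (assumption; real tools pick their own)


def _prf_stream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode. A stand-in for the AES-XTS
    used by real disk encryption; it shows the key flow, not the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, tweak + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _header_keys(passphrase: str, salt: bytes):
    """Stretch the passphrase into a key-encryption key and a separate check key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def format_volume(passphrases, payload_sectors: int) -> bytearray:
    """Create the on-disk image: header slots followed by the encrypted payload."""
    if not 0 < len(passphrases) <= MAX_SLOTS:
        raise ValueError("unsupported number of passphrases")
    volume_key = os.urandom(32)            # the secret that actually encrypts the disk blocks
    header = bytearray(HEADER_SIZE)        # unused slots stay all-zero
    for i, passphrase in enumerate(passphrases):
        salt = os.urandom(16)
        kek, check_key = _header_keys(passphrase, salt)
        wrapped = _xor(volume_key, _prf_stream(kek, b"wrap", 32))
        tag = hmac.new(check_key, wrapped, hashlib.sha256).digest()
        header[i * SLOT_SIZE:(i + 1) * SLOT_SIZE] = salt + wrapped + tag
    # A fresh payload is random bytes, so unused space looks the same as data.
    return header + bytearray(os.urandom(payload_sectors * SECTOR_SIZE))


def open_volume(image: bytes, passphrase: str) -> bytes:
    """Mount: try the passphrase against every header slot and return the volume key."""
    for i in range(MAX_SLOTS):
        slot = bytes(image[i * SLOT_SIZE:(i + 1) * SLOT_SIZE])
        salt, wrapped, tag = slot[:16], slot[16:48], slot[48:80]
        if not any(salt):
            continue                        # empty slot
        kek, check_key = _header_keys(passphrase, salt)
        expected = hmac.new(check_key, wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return _xor(wrapped, _prf_stream(kek, b"wrap", 32))
    raise ValueError("no header slot accepts this passphrase")


def passphrase_opens(image: bytes, passphrase: str) -> bool:
    try:
        open_volume(image, passphrase)
        return True
    except ValueError:
        return False


def _sector_offset(image: bytes, index: int) -> int:
    if not 0 <= index < (len(image) - HEADER_SIZE) // SECTOR_SIZE:
        raise IndexError("sector outside the payload")
    return HEADER_SIZE + index * SECTOR_SIZE


def read_sector(image: bytes, volume_key: bytes, index: int) -> bytes:
    """Decrypt one block on demand; the header is not touched again."""
    start = _sector_offset(image, index)
    stream = _prf_stream(volume_key, struct.pack(">Q", index), SECTOR_SIZE)
    return _xor(bytes(image[start:start + SECTOR_SIZE]), stream)


def write_sector(image: bytearray, volume_key: bytes, index: int, data: bytes) -> None:
    if len(data) != SECTOR_SIZE:
        raise ValueError("writes are whole sectors")
    start = _sector_offset(image, index)
    stream = _prf_stream(volume_key, struct.pack(">Q", index), SECTOR_SIZE)
    image[start:start + SECTOR_SIZE] = _xor(data, stream)


if __name__ == "__main__":
    # Constructed sample: a tiny 8-sector volume with two passwords for the same volume key.
    img = format_volume(["user-pass", "recovery-pass"], payload_sectors=8)
    key = open_volume(img, "recovery-pass")
    write_sector(img, key, 3, b"corporate record\n".ljust(SECTOR_SIZE, b"\0"))
    print(read_sector(img, open_volume(img, "user-pass"), 3)[:16])
```

Two things worth noticing when running it: adding a second password costs one more 80-byte slot and one more PBKDF2 run, while the payload is untouched, and a wrong password is rejected by the check tag without ever reading a payload sector. The per-sector keystream here is keyed only by sector index, so overwriting a sector with new data reuses the same keystream, which is a weakness real disk encryption avoids by using a tweakable block cipher mode such as XTS.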
VHD file used as the container
For the Encrypted Data Plug-in, we have elected to store the container inside a mounted VHD which the plug-in creates and manages. From this point, we can have DiskCryptor mount the VHD space believing that it is a physical volume and then let the encryption system do its work of presenting an encrypted disk to the machine.
The DiskCryptor encryption system focuses on providing an encrypted disk image to the machine and the Citrix development team can focus on regulating approval for “corporate” applications to view into the encrypted space as well as Citrix Receiver integration and overall management of the machine. I will save this for a later post.
Put it all together and it’s a pretty neat solution for storing corporate data onto user computers where deep modification of the machine is to be avoided, such as BYOC.
The Encrypted data plug-in Technology Preview is available for download, MyCitrix logon is required. We look forward to your feedback and comments and can provide information and support through our forum located here: http://forums.citrix.com/forum.jspa?forumID=1013. Also check out a video overview providing a walk-through of the capabilities of this technology.
Product Architect – Citrix Systems XenApp Product Group
App Streaming, Profile Manager, Encrypted Data Plug-in